Display the number of packets that match each rule in the table, so you can locate unnecessary packet filter rules. Should be able to reset the hit counter(s) as needed, along with a tooltip to show the last time(s) of the previous few hits.

In order to make fine tuning of our product packet filter configuration easier, we should add a way to create packet filter rules with a small wizard, so that if I see any packet that I want to explicitly drop or allow, I can start a mini-wizard that helps to create a matching packet filter rule by either selecting existing definition objects or offering an easy way to create new definition objects, which then get used in the PF rule.

Extended the exceptions functionality to allow for specific rules as part of an exception.

This will allow for much more granular IPS exceptions, in being able to specify that a rule be disabled/excepted only for a certain traffic flow, like for rule 2122 from Internet to Webserver, without disabling the rule globally or exempting the resource from IPS fully.

It would be nice to have the ability to define network definitions by whois AS number.
e.g. you could make a definition for all the Telenet public subnets by adding a definition Telenet-subnet with a parameter AS 6848.
The AS number database is rebuilt on a daily basis, and could be synced just like the spam, antivirus and content filter databases are synced or updated.

It would be useful if the VoIP proxy was able to be assigned to a particular interface. If I have an internal VoIP server, it may not be on the same address as my default gateway, so it would be useful to assign another gateway interface instead of using policy based routing.

I'd like to turn on 'reactive rules' to start dropping all traffic from source IPs that trip a threshold of IPS or PF rules.

Say someone is scanning your website for IIS vulnerabilities and trips 20 IPS rules in 1 minute (administrator defined parameters), then the UTM would create a rule at the top to block all traffic to and from the attacking source IP.

Bonus points for letting the rule dissolve after N hours, as well as being able to turn this rule on for specific interfaces or subnets. You could link it to the geo-location system so that this adaptive/reactive defense can be turned on for Chinese source IPs only, for example.
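A sketch of the threshold-and-expiry logic the request above describes (N hits within a window triggers a block, which dissolves after a set time), added here as an illustration and not code from the original thread or from any UTM product. The alert tuples, the 5-hit threshold and the one-hour block duration are constructed assumptions; a real deployment would feed in the IPS log and push the resulting block to the packet filter.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample IPS alerts: (timestamp, rule id, source IP). Not real log data.
SAMPLE_ALERTS = [
    ("2024-05-01 10:00:00", 2122, "203.0.113.7"),
    ("2024-05-01 10:00:00", 2122, "198.51.100.9"),
    ("2024-05-01 10:00:10", 2003, "203.0.113.7"),
    ("2024-05-01 10:00:20", 2003, "203.0.113.7"),
    ("2024-05-01 10:00:30", 2122, "198.51.100.9"),
    ("2024-05-01 10:00:30", 2122, "203.0.113.7"),
    ("2024-05-01 10:00:40", 2122, "203.0.113.7"),   # 5th hit inside 60 s -> block
    ("2024-05-01 10:00:50", 2122, "203.0.113.7"),   # already blocked
    ("2024-05-01 10:01:40", 2122, "198.51.100.9"),  # older hits aged out of the window
    ("2024-05-01 11:05:00", 2122, "203.0.113.7"),   # block expired; counting restarts
]


class ReactiveBlocker:
    """Block a source IP after `threshold` hits within `window`; lift it after `block_for`."""

    def __init__(self, threshold=20, window=timedelta(minutes=1), block_for=timedelta(hours=1)):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.hits = defaultdict(deque)  # src -> timestamps of hits still inside the window
        self.blocked = {}               # src -> time at which the block rule dissolves

    def is_blocked(self, src, now):
        expiry = self.blocked.get(src)
        if expiry is None:
            return False
        if now >= expiry:               # the rule dissolves after block_for
            del self.blocked[src]
            return False
        return True

    def observe(self, ts, src):
        """Record one alert; return True if traffic from src should be dropped now."""
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if self.is_blocked(src, now):
            return True
        recent = self.hits[src]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # sliding window: drop old hits
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked[src] = now + self.block_for
            recent.clear()
            return True
        return False


def run(alerts, threshold=5, window=timedelta(minutes=1), block_for=timedelta(hours=1)):
    """Replay alerts in order; return the per-alert drop decisions and the active blocks."""
    blocker = ReactiveBlocker(threshold, window, block_for)
    decisions = [blocker.observe(ts, src) for ts, _rule, src in alerts]
    return decisions, dict(blocker.blocked)
```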